Single Pass Parallel Processing (SP3) Architecture

Palo Alto Networks next-generation firewalls are based on a unique Single Pass Parallel Processing (SP3) Architecture, designed to enable high-throughput, low-latency network security, even while incorporating advanced features and technologies.

The SP3 architecture solves performance challenges common in security infrastructure by combining two complementary components:

  • Single Pass software
  • Parallel Processing hardware

This combination delivers the raw throughput, transaction processing speed, and network security required by modern high-performance networks.

SP3 Architecture Overview

Single Pass Software

The Single Pass software performs operations only once per packet. As a packet is processed, networking functions, policy lookup, application identification (App-ID) and decoding, and signature matching for all threats and content (Content-ID) are performed simultaneously. This significantly reduces processing overhead compared to architectures requiring multiple passes or proxies.

Furthermore, the content scanning is stream-based and uses uniform signature matching, avoiding the latency introduced by file proxies that require full file downloads before scanning. This Single Pass approach enables high throughput and low latency with all security functions active and simplifies policy management.

Parallel Processing Hardware

To ensure the Single Pass software runs efficiently, Palo Alto Networks firewalls utilize Parallel Processing hardware. Key elements include:

  • Separate Data and Control Planes: Heavy utilization of the control plane (e.g., running reports, configuration changes) does not negatively impact the data plane's packet processing performance.
  • Specialized Processing Units: Discrete hardware components handle specific tasks in parallel:
    • Networking Processor: Manages routing, flow lookup, NAT, and statistics counting.
    • Security Processor (Multi-Core): Handles User-ID, App-ID, policy enforcement, and includes hardware acceleration for encryption/decryption and decompression.
    • Content Scanning Engine: Dedicated, specialized processor for Content-ID analysis.
    • Management Processor (Control Plane): Dedicated CPU, RAM, and disk handle configuration management, logging, and reporting without impacting data processing.

This unique combination of Single Pass software and Parallel Processing hardware allows Palo Alto Networks firewalls to provide deep visibility and granular control over network traffic at high performance levels.